Epistemic Logic and its Applications: Tutorial Notes

Ernest Davis∗

New York University

New York, New York

Leora Morgenstern

IBM Watson Research Center

Hawthorn, New York

August 28, 1983

1 Introduction

It is to the advantage of a thinking creature to be aware of knowledge and thought and to be ableto reason about them. If the creature has to interact with other thinking creatures, then reasoningabout their mental processes is often necessary to understand and predict their behavior. Even if thecreature is alone, stranded on a desert island, the ability to reason about its own mental life will bevaluable. A Robinson Crusoe robot will need to make plans involving the gaining and maintainingof knowledge, such as, “If I want to learn my way around the island, I should go to the top of thebig hill,” or “If I want to avoid being eaten, I should keep a close watch.”

The distribution of information among autonomous agents, the transferral of information betweenagents, and the gain and loss of information by agents over time are critical characteristics of manyenvironments. This is particularly true of environments where computers are applied, since thecontrol and distribution of information is a primary function of computer systems and a centralissue in computer science. It can be very valuable in analyzing any such environment to be able torepresent explicitly and to reason about the state of information and the dynamics of information.Formalisms that support such representation and such reasoning are called logics of knowledge orepistemic logics.

The applications for epistemic logics in artificial intelligence, in computer science generally, andin other fields are numerous:

AI Applications

Planning

In many cases, an agent is initially ignorant of information that he needs to achieve a given goal,but he knows how to acquire the information. In that case, he may plan to acquire the necessaryinformation and then to use that information in further steps of planning. For example, if Debbywants to read Moby Dick but does not know where her copy is on her bookshelf, then she can formthe plan, “Look through the book case; take the book from its place; read it.” Here the purpose ofthe first step of looking through the shelf is to determine the place of the book, a datum needed forthe second step of the plan, grasping the book.

∗The preparation of these notes was supported in part by NSF grant #IRI-9001447

1

In order to construct or analyze such plans, a reasoner needs to be able to reason about

• What knowledge the agent has and what knowledge he lacks. For example, Debby knows thatthe book is on the shelf; she does not know where.

• What knowledge it needs to carry out specific actions and specific plans. For example, Debbyneeds to know where the book is in order to grasp it.

• How actions produce knowledge. For instance, if Moby Dick is on the shelf, then after scanningthe shelf, Debby will know where Moby Dick is.

We will study this kind of planning in section 2.3.

Motivation Analysis

A large part of the interpretation of natural language text and a large part of the understandingnecessary for correct social behavior is motivation analysis, determining the reason for other agents’perceived behaviors. To carry out motivation analysis it is necessary to understand how an agent’sknowledge and beliefs affect how he pursues his goals. For example, if an intelligent system sees or istold that Jack anxiously reads through the Help Wanted ads every morning, it should infer that Jackwishes to know about job openings; further, that Jack probably wishes to apply for a job; further,that Jack is probably either unemployed or profoundly dissatisfied with his current position. If thesystem hears Sarah ask it for the time, it should infer that Sarah probably does not know the time.

Active Perception

To use high-level reasoning to guide the focus of a sensor, the reasoner must know the powers of thesensor and how knowledge can be gained through its perceptions. For example, a robot who wishesto determine whether a dark patch on a perceived object is a mark or a shadow may decide to lookat the point where the object casting the shadow would have to be. To do this, it must deduce thatif there is an object casting the shadow, then it will be able to see the object if it looks in the properdirection. Another example: As before, Debby is looking for Moby Dick on her bookshelf. She canknow that scanning will work if she knows (1) that a particular trajectory of the sensor will bringevery book on the shelf into view; (2) that if she scans slowly enough, she will be able to recognizeMoby Dick when she passes it.

Speech Acts

The right choice of what to say in a given situation often depends on what the person you are talkingto knows. For example, if a person points to your dog and says, “What is that?” then the correctanswer may be

• “That’s a dog” if the questioner is a two-year old.

• “A Yorkshire terrier” if the questioner is an adult.

• “Yes, he’s had that limp since Tuesday” if the questioner is your vet.

Pursuing a conversation often requires a large degree of mutual understanding and commonknowledge among the conversants. Suppose that, in the course of conversation, Bob asks Karen,

2

“And what did she say to him?” and Karen answers, “She said she wouldn’t trust him as far as shecould kick him.” After Karen answers, Bob must know that Karen knows who are the people andthe circumstances under discussion; otherwise, Bob will worry about some confusion between Karenand himself. Therefore, when she answer thus, Karen must know that Bob will know that Karenwill know the subject of the discussion. Therefore, when Bob asks the question, Bob must knowthat Karen will know that Bob will know that Karen will know the subject of discussion. And soon.

Grice’s (1967) well known Maxim of Quantity , “Make your contribution as informative as isrequired but not more informative than is required,” depends for its use on an understanding ofwhat information is already held and what information is required; that is, on an understanding ofthe knowledge and the knowledge goals of the other speaker. The same holds in many cases for theinterpretation of indirect speech acts; for distinguishing the new from the given in discourse analysis;and for many other aspects of discourse analysis.

Intelligent CAI

Ideally, an automated tutor would maintain a model of what a student knows, how he reasons, andhow he learns. The model could be initialized by combining generic information about what studentsat his level characteristically and can do with data specific to the individual (e.g. test scores.) Thetutor should be able to update and correct the model using its knowledge of what the student hasbeen taught (by itself and others) and by observing the student’s actions and responses. It shouldbe able to use the model to plan an effective teaching strategy.

Non-monotonic logic

An important category of defeasible inference is the autoepistemic inference, in which an agent infersthat φ must be false from the fact that he does not know φ to be true. For example, I know thatMark Twain was never governor of New York, not because I have ever read specifically that he wasnot, nor because I can enumerate all the governors, nor because I know everything that Mark Twainever did, but just because I may safely presume that I would have heard about it if he had been.Characterizing autoepistemic inferences requires a theory that combines a logic of knowledge witha logic of defeasible inference; the form of such a logic and the scope of the autoepistemic inferenceas a model for defeasible inference generally are areas of current research.

Design of Intelligent Systems

At the meta-level, it may be able be possible to custom design an AI program for a specific applicationfrom specifications which describe what kinds of things the program can know; how this knowledgeis gathered and how it can be augmented; and how the program should behave under various statesof knowledge. For example, Rosenschein and Kaelbling (1986) describe a program which accepts asinput a high-level description of a reactive robot, in terms of what the robot learns from its sensorsand how it should respond, and generates as output a circuit diagram that implements this behavior.

Meta-level reasoning at run-time about a knowledge base’s own knowledge and own reasoningcapacities may likewise be important. For example, the controller for an inference engine may usea high-level characterization of the knowledge in a knowledge base to choose to pursue one path ofinference over another.

3

Applications in General CS

Distributed Systems

Epistemic logic is a promising tool for analyzing distributed systems; this application has beenvery extensively studied. In this approach, the state of a distributed system is characterized usingepistemic concepts, such as,

• The information available to each processor (what the processor “knows”);

• The information needed by the processor (what it wants to know);

• What each processor knows about what the other processors know;

• What is potentially known when the information of all the processors has been pooled;

• What is common knowledge among the processors.

The dynamics of the distributed system is characterized in terms of the transfer of informationamong the processors though communication. The validation of a protocol P consists, in general,in proving a result of the form, “If P is executed under circumstances C, then, when P is complete,such and such a state of knowledge is attained in the system.”

For example, one problem in distributed systems is to develop a protocol allowing the processorsto come to a joint decision on a question and to commit to it. This is often modelled through theparable of the Byzantine generals.

Two Byzantine armies lie on opposite sides of a Saracen army. If the two armies bothattack simultaneously, they can defeat the Saracens; if only one attacks, then the Sara-cens will first defeat the attacking army, then defeat the other army. The Byzantinegenerals must therefore coordinate their attacks by sending messengers back and forth.Unfortunately, the general sending a messenger cannot ever be sure that he will getthrough.

It is then possible to prove the following depressing theorem (Halpern and Moses, 84):

No prearranged communications protocol can guarantee that both generals will attack,even if all the messengers do, in fact, get through.

The proof is essentially as follows: Consider the last message to be sent in a given protocol;let us say that this is A sending message M to B. The protocol must specify what B should do ifhe receives various messages at this point and what he should do if he fails to receive a message.Moreover, there must be some circumstances under which B will attack and some under which hewill fail to attack; otherwise, why send a message? Now, one of the two following possibilities musthold:

1. It is agreed that B will not attack if he does not get a message, but will attack if he gets messageM. Now, if A sends M, he cannot be sure whether B will get M and attack, or whether B willnot get M and not attack.

2. It is agreed that B will attack if he does not get a message, but will not attack if he getsmessage N. Now, if A sends N, he cannot be sure whether B will get N and not attack orwhether B will fail to get N and attack.

Thus, if A’s message makes any difference, A cannot be sure that B will attack.

4

Security

The central issue in computer security is one of controlling access to knowledge; we wish to guaranteethat, unless an agent knows P (the password) he cannot find out Q (the information). In the case ofpublic key encription schemes, where a decryption key D is publically known but the correspondingencription ken E is to be kept private (or vice versa), the issue is to guarantee that E cannot becomputed from D without inordinate computational resources.

Zero-knowledge interactive proofs (Goldwasser, Micali, and Rackoff, 85) add another twist. Hereone person holding the encryption key E must convince another person holding D that he does,indeed, know E; but he must do so in a way that does not tell the other anything that will help himcompute E.

Economics and Game Theory

Epistemic logic has also been applied outside of computer science, particularly to economics andgame theory. In economics, it arises through the fact that the value of an investment to you isinfluenced heavily by how you think other people will gauge its value. In particular, if you canbuy an investment (a share of stock, say) at price P, then that is prima facie evidence that theseller thinks that it is worth less than P, and, assuming that the seller is not a fool, this shouldpresumably influence one’s own thinking. The analysis of such situations thus naturally leads toconsidering imbedded levels of belief and considering how knowing other peoples’ beliefs should affectone’s own (Aumann, 76), (Geanakopolos, 90).

Another point where epistemic logic meets economics is in analyzing the economics of informationas a commodity of value and of information processing as an economic activity (Allen, 90).

2 Representation and Inference

In this tutorial, we will focus on three questions:

• Representation: How can facts about the knowledge of agents be expressed symbolically?

• Inference: Given a collection of facts about knowledge, what further facts can be reasonablydeduced?

• Semantics: What does a sentence in our representation actually mean?

A framework which specifies the form of answers to these three questions for a given domain iscalled a logic of the domain. logic of knowledge and belief is called an epistemic logic.

The most familiar logics, both in mathematical logic and in AI, are the extensional logics, suchas propositional logic and predicate calculus, which characterize objects and their properties. Suchlogics allow the expression of statements such as “Joe is a boy,” “All men are mortal,” “Every personhas two parents,” and so on.

But the relation “A knows φ” is very different in its logical structure than a relation like “X isblue” and epistemic logics must therefore address a number of issues that do not arise in extensionallogics:

• The predicate “blue” applies to objects: the ball is blue, the Empire State Building is notblue. It is not meaningful to say that the fact “George Washington was born in 1732” is

5

blue. The operator “know” applies to sentences: One may know, or fail to know, that GeorgeWashington was born in 1732; that the Empire State Building is not blue. One cannot knowan object (except in the sense of being acquainted with it).

In particular, the operator “know” is self-embedding; one may know facts about knowledge.Mark knows that Leslie know that Star Trek is on at 7:00; Sam knows that he does not knowhow to spell “protocol”. By contrast the fact that “the ball is blue” cannot be said to be blue.

• The predicate “blue” is referentially transparent; that is, it applies to an object independentlyof how that object is named. Given that Lake Superior is the largest fresh-water lake, we caninfer that Lake Superior is blue if and only if the largest fresh-water lake is blue. The operator“know” is referentially opaque; substituting an equal term inside a knowledge operator maychange the truth of a sentence. It is possible that Andrea knows that Lake Superior liespartly in the US, but does not know that the largest fresh-water lake lies partly in the US (forexample, if she thinks that the Caspian Sea is fresh-water.)

2.1 Propositional Modal Epistemic Logics

We begin with a very simple logic for characterizing primitive pieces of knowledge of a single agentat a single moment. In this logic, we will have three kinds of symbols.

i. Propositional atoms: A propositional atom is a symbol that denotes a particular fact aboutthe external world. Examples: the atom “Frog-Kermit” denotes the fact that Kermit is a frog.“All-men-are-mortal” denotes the fact that all men are mortal.

ii. Boolean connectives. There are five of these: ¬ (not), ∨ (or), & (and), ⇒ (implies), ⇔ (if andonly if).

iii. Modal operator. The symbol “know”.

We also use parentheses to clarify grouping.

A sentence in the logic is built up by applying Boolean connectives and the modal operator“know” to propositional atoms. Examples:

Frog-Kermit.Frog-Kermit ⇒ (Green-Kermit & Croaks-Kermit).know(Frog-Kermit).know(Frog-Kermit ⇒ Green-Kermit).know(Frog-Kermit) ∨ know(¬Frog-Kermit).know(¬(know(Frog-Kermit & Green-Kermit)) ∨ Frog-Kermit)

Formally, we define a sentence as follows:

Definition 1: In the propositional modal epistemic logic, a sentence is either

• a propositional atom; or

• an expression of the form ¬φ; φ ∨ ψ, φ&ψ, φ⇒ψ, φ⇔ψ, or know(φ), where φ and ψ are(recursively) sentences.

This logic is known as the propositional modal epistemic logic: “propositional” because the basesentences are propositional atoms; “modal” because it uses the operator “know”, which affects the

6

mode of a sentence (changes a sentence which is merely stated to one that is known); and “epistemic”because it is about knowledge. (Other modal operators include propositional attitudes, such as “Xbelieves that φ” or “X hopes that φ”; temporal operators such as “φ is always true” or “φ will betrue at some future time”; ontic operators, such as “φ is necessarily true”; deontic operators, suchas “It is obligatory that φ should be true”; and others. A modal logic with an appropriate logicalstructure can be developed for each of these.)

2.1.1 Semantics: Knowledge Base Model

It’s all very well to write down sentences about knowledge, but without a specific definition of whatthey mean, there is no way to tell whether a given set of sentences applies or what it entails. Theprecise meaning of a logic is specified by a semantics, which consists of a idealized model of theworld and an account of when a sentence in the logic is true in the model. In this tutorial, we willlook at a number of models of knowledge.

The first and simplest model is this. Consider a knowledge base which contains a collection oftrue propositional sentences with no knowledge operators. We adopt the following definition:

Definition 2: know(φ) is true if it is possible to determine that φ given the sentences in theknowledge base.

Example: Suppose that the knowledge base B contains the following three sentences.

Frog-Kermit.Frog-Kermit) ⇒ (Green-Kermit & Croaks-Kermit).All-men-are-mortal ⇔ ¬(Socrates-was-a-tailor).

Then the following sentences are all true:

• know(Frog-Kermit) — Frog-Kermit is in B.

• know(Croaks-Kermit & Green-Kermit) — “Croaks-Kermit & Green-Kermit” is a logical con-sequence of the first two sentences of B.

• ¬know(All-men-are-mortal) — All-men-are-mortal cannot be derived from B.

• ¬know(¬All-men-are-mortal) — ¬All-men-are-mortal likewise cannot be derived from B.

• know(know(Frog-Kermit)) — We have determined from the knowledge base that know(Frog-Kermit) is true, hence it is known.

• know(Frog-Kermit) ∨ know(All-men-are-mortal). — A disjunction is true if either disjunct istrue. In this case, as we have seen, the first disjunct is true.

• know(¬know(All-men-are-mortal)) — It can be proven that All-men-are-mortal cannot beproven from B.

2.1.2 Axioms for Modal Logic

We can now ask, “What are the important general properties of this definition of knowledge?” Thefollowing have been found to be particularly important:

Veridicality: What is known is true. This is a consequence of our specifying that the sentencesin the knowledge base were true. Of course, there is no way to tell whether this condition holds just

7

by looking at the knowledge base; one must know what the propositional atoms mean, and whetherthey hold in reality.

The property of veridicality can be expressed formally in the following axiom:

K.1 know(φ) ⇒ φ.

K.1 is actually an axiom schema, meaming that if any sentence is substituted for φ in K.1, theresulting instance is an axiom. Thus, the following two sentences and all sentences like them areaxioms.

know(Frog-Kermit) ⇒ Frog-Kermit.know(Frog-Kermit ∨ ¬know(Green-Kermit)) ⇒ [Frog-Kermit ∨ ¬know(Green-Kermit)].

Consequential Closure: If the agent knows a collection of sentence Γ and φ is a logicalconsequence of Γ, then the agent also knows φ. This property derives from our use of implicitknowledge, defining the agent as “knowing” any consequence of the information in his knowledgebase.

In a broader setting, this property clearly does not apply to “knowledge” in the usual sense. Itcannot be that an agent’s knowledge is closed under logical consequence; if it were, then we wouldall be perfect reasoners and anyone who knew the axiom of a mathematical field would know allthe theorems. Even in the narrower domain of propositional reasoning, the property is unrealistic;determining whether a conclusion is a consequence of a set of axioms in the propositional calculusis co-NP-complete. This property is essentially an idealization of the fact that an agent can beexpected to do some level of reasoning with his knowledge. For many simple theories of knowledgeit is by far the simplest and most natural idealization.

We can express the property of consequential closure formally as follows. We use the fact that,in many logical theories, inference can be characterized by repeated use of the single rule modusponens, “From α and α⇒β infer β”, given a suitable set of logical axioms. In such a theory, sayingthat an agent’s knowledge is closed under logical consequence is equivalent to saying that the agentknows all logical axioms and that the agent’s knowledge is closed under modus ponens. We thushave the following axiom schemata:

K.2 If φ is a logical axiom, then know(φ) is an axiom.

K.3 [know(φ) & know(φ⇒ψ)] ⇒ know(ψ).

Positive Introspection: Suppose that the agent knows φ; that is, he has been able to deriveφ. Then he should be aware that he has derived φ; that is, he knows that he knows φ. We thus havethe following axiom:

K.4 know(φ) ⇒ know(know(φ)).

Negative Introspection: Suppose that the agent does not know φ; that is, φ is not a conse-quence of his knowledge base. Then, the agent can in principle figure out that φ does not followfrom his knowledge base. That is, the agent knows that he does not know φ.

K.5 ¬know(φ) ⇒ know(¬know(φ))

This property relies on two aspects of our model. First, we are using propositional logic as thebase of our epistemic logic, and it is always in principle possible to determine whether or not a

8

K.1 know(φ) ⇒ φ.

K.2 If φ is a logical axiom, then know(φ) is an axiom.

K.3 [know(φ) & know(φ⇒ψ)] ⇒ know(ψ).

K.4 know(φ) ⇒ know(know(φ)).

K.5 ¬know(φ) ⇒ know(¬know(φ))

Table 1: Logical Axioms of the Modal Theory S5

particular conclusion follows from particular premises in propositional logic. In richer logics, such asthe predicate calculus, it is not, in general, computationally possible to establish that a conclusionis not a consequence of a set of premises. Thus an agent may be unable either to derive φ — so hedoes not know φ — or to establish that he will not be able to derive φ — so he does not know thathe does not know φ.

Second, we posited that the statements in the knowledge base are all true. In a more generalsetting, one has to admit the possibility that some statements in the knowledge base are false. Insuch a case, one can still achieve the property of veridicality, by changing the definition of knowledgeto, “φ is known if φ is a consequence of the true statements in the knowledge base.” In that case,however, a statement φ which is a consequence of the false statements in the knowledge base is notknown, but the agent cannot become aware that it is not known, since he has no way to know thatit is not true. For example, a person who believes firmly that the world is flat does not know thatthe world is flat — one cannot know that the world is flat, since it is not — but he does not knowthat his belief does not constitute knowledge. Thus, the axiom of negative introspection fails.

Table 1 summarizes these five axioms of knowledge. The modal logic characterized by theseaxioms is known as S5. (The terminology is purely historical.) The reasonableness of these axiomshas been extensively discussed in the literature; see, for example, [Lenzen, 78].

The modal theory S5 is sound and complete with respect to knowledge base models. Soundnessmeans that any knowledge base model satisfies the axioms of S5; this we have essentially establishedthis by our arguments above deriving the axioms from the model. Completeness is the followingproperty: Let T be a set of sentences that are consistent with S5. Then there is a knowledge basemodel in which all the sentences of T are true.

2.1.3 State-based definition of knowledge

We next look at a quite different model of knowledge.

Consider a device D that can be in one of a collection of states. We will say, “D knows φ at timeT ,” if,

i. the state of D at time T is S; and

ii. whenever D is in state S, φ is true.

For example, let D1 be a mercury thermometer in a room whose state at any moment is the levelof the mercury. Suppose that at time t0, the mercury points to 20 degrees Centigrade. Then at t0,D1 knows that the temperature of the room is 20 degrees, because whenever the mercury points to20 degrees, the temperature is 20 degrees. D1 also knows

9

That the temperature is greater than 10 degrees.That the temperature in degrees Centigrade is a square number.That any ice open in the room is melting.That any planar map can be colored with four colors.. . .

because all these statements are true when the mercury points to 20 degrees. On the other handD1 does not know in S that it is raining outside, or that the President of the US is a Democrat,because these statements are sometimes true when the mercury points to 20 and sometime false.

Fixing a particular device D and time T , we define the modal operator “know(φ)” to mean “Dknows φ at time T” as defined above. It is easily checked that this operator satisfies the axioms ofS5 described in the previous section. Let S be the state of D at time T .

K.1 Suppose that D knows φ at time T . Then φ is true whenever S holds. In particular, φ is trueat time T .

K.2 If φ is a logical axiom, then φ is always true. So φ is certainly always true when S holds. SoD knows φ at T .

K.3 Suppose that D knows φ in S and D knows φ⇒ψ in T . That means, by definition, that bothφ and φ⇒ψ are true whenever S holds. But if φ and φ⇒ψ are true at a given time, then sois ψ. Thus ψ is true whenever S holds; that is, D knows ψ.

K.4 Suppose that D knows φ at time T . Then D knows φ whenever S is true; that is, D knows inT that D knows φ.

K.5 Suppose that D does not know φ in T . Then D cannot know φ at any time when S holds;that is, D knows in T that D does not know φ.

Thus, though this model appears very different from the knowledge base model, its logical prop-erties are identical. Our arguments above constitute a proof that the axioms of S5 are sound for thestate-based definition of knowledge; it is also possible to show that they are complete; that is, that,given any set of sentences T consistent with the axioms S5, it is possible to construct a state-basedmodel in which all the sentences in T are true.

One strength of this definition is that it is natural to speak of multiple devices and the inter-actions of knowledge between them. Consider two different devices D1 and D2, with two differentstates. According to our definition, the statement “At time T , D1 knows that D2 knows φ,” means“Whenever D1 is in its current state, D2 knows φ”, which means “Whenever the current state ofD1 holds, D2 is in some state S2 such that, whenever S2 holds, φ is true.”

For example, let D1 be a digital thermometer that displays the temperature in a room in degrees,rounded down from the true value. Let D2 be a digital thermometer that displays temperaturesin tenths of a degree, rounded down from the true value. Now let us say that at time t0, the truetemperature “temp0” is 25.87 so that D1 displays “25” and D2 displays “25.8”. Then at time t0,

D1 knows that 25 ≤ temp0 < 26.D2 knows that 25.8 ≤ temp0 < 25.9.D2 knows that D1 knows that 25 ≤ temp0 < 26.D1 knows that one of the following is true: Either

D2 knows that 25.0 ≤ temp0 < 25.1; orD2 knows that 25.1 ≤ temp0 < 25.2; orD2 knows that 25.2 ≤ temp0 < 25.3; or

10

. . . orD2 knows that 25.9 ≤ temp0 < 26.0.

We can add this ability to speak of multiple states of knowledge to our modal language by placingthe names of the individual devices as subscripts to the “know” operator. Thus, we could write thefirst three sentences above,

knowD1(25 ≤ temp0 < 26).knowD2(25.8 ≤ temp0 < 25.9).knowD2(knowD1(25 ≤ temp0 < 26))

We can also speak of the combined knowledge of two devices. Let D3 be an outdoor thermometer,and suppose that at time t0 D3 reads 10 degrees. Then at t0, D1 and D3 combined know that it iscolder outside than in, though neither device knows this by itself. In general, D1 and D2 combinedknow φ at time T , if, at any time when both D1 and D2 are in their current states, φ is true.

Another useful concept in reasoning about multiple agents is that of their common knowledge(also called mutual knowledge.) A and B have common knowledge of φ if

A know φ;B knows φ;A knows that B know φ;B knows that A knows φ;A knows that B knows that A knows φ;B knows that A knows that B know φ;and so on.

That is, there is a perfect understanding about φ between A and B.

In the above example, thermometers D1 and D2 have common knowledge that the temperatureis between 25 and 26. By contrast, consider a thermometer D4 which displays temperatures indegrees rounded to the nearest degree, (rather than rounded down.) Then D1 and D4 do not haveany knowledge about the temperature in common! Suppose that the temperature is actually 25.87.

D1 displays 25.D2 displays 26.D1 knows that D2 either displays 25 or 26; thus D1 knows that D2 knows that thetemperature is between 24.5 and 26.5.D1 knows that D2 knows that D1 either displays 24, 25, or 26; thus D1 knows that D2knows that D1 knows that the temperature is between 24 and 27. . . .

In general, we can define common knowledge as follows:

Devices D1 and D2 have common knowledge of φ at time T ifthe state of D1 at T is an element of some set of states SS1;the state of D2 at T is an element of some set of states SS2;whenever the state of D1 is in SS1, φ is true and the state of D2 is in SS2;whenever the state of D2 is in SS2, φ is true and the state of D1 is in SS1.

By adding additional modal operators and suitable axioms, we could extend our modal theory toinclude combined knowledge and common knowledge.1 However, we will not pursue this direction.

1However, it is not possible to give a complete axiomatization of common knowledge using axioms similar to K.1through K.5.

11

E

M

N

DH

F

G

H

F GD

E

M N

Rooted Tree

Free Tree

Figure 1: Free tree of nodes

2.1.4 Applications of S5: Distributed Systems

The state-based model of knowledge and the modal theory S5 are the most common theories ofknowledge used in the analysis of distributed systems. Each element in the system is consider anagent in itself, and what it knows is determined by its entire internal state. What the system as awhole knows is determined by the combined states of all the elements.

Consider the following simple example: A network consists of a free tree of elements with undi-rected links. We wish to turn it into a rooted tree, where every elements knows which of its neighborshas been chosen as its father, so that messages can be passed up or down the tree in a well definedmanner. (Figure 1).

We consider that each node U knows the following facts about its place in a rooted tree.

• If V is a neighbor of mine, then either I am V ’s father or V is my father.

• If I am the root then I have no father.

• If I am not the root, then I have exactly one father.

Moreover, U knows who all its neighbors are.

Finally we require nodes to follow the following protocol:

If you know your relation to neighbor V , then tell V .

This protocol allows the information about the structure of the tree to be distributed among thenodes in any of a number of ways. If the systems manager tell one node that it is the root, then thestructure of the tree will percolate down from the root to the leaves. If he tells all but one node thatthey are not the root, then the structure of the tree will percolate up from the leaves to the root.

Note the extensive use of the concept of “knowledge” in this description. It is certainly possible todescribe the scenario and the protocol without the use of this concept, but using a logic of knowledgeis intuitive and elegant.

12

We can use modal propositional logic to characterize any particular network and starting condi-tion and to determine its behavior. We will use a sequence of times T0, T1, T2, ... We will use thefollowing symbols:

• For each node U and time T , the modal symbol “knowU,T (φ)” means “U knows φ at time T .”

• For each pair of nodes U, V and time T , the modal symbol “messageU,V,T (φ)” means “U sendsmessage φ at time T .”

• For each pair of nodes U, V , the proposition atom “father-U-V” means “U is the father of V.”

• For each node U , the propositional atom “root-U” means that U is the root.

Using this language, we can characterize the knowledge of every node. For example, the initialknowledge of node E in figure 1 is described in the rules:2

1. knowE,T (root-E ⇔ (father-E-D & father-E-M & father-E-N))(E knows that he is the root if and only if he is the father of all his neighbors.)

2. knowE,T (¬(father-D-E & father-M-E) &¬(father-D-E & father-N-E) &¬(father-M-E & father-N-E))

(E knows that he has at most one father.)

3. knowE,T ((father-D-E ⇔ ¬father-E-D) &(father-M-E ⇔ ¬father-E-M) &(father-N-E ⇔ ¬father-E-N)) .

(E knows for each neighbor V that either he is the father of V or vice versa.)

The protocol for node E can be characterized in the rules:

4. knowE,T (father-E-D) ⇒ messageE,D,T (father-E-D)5. knowE,T (father-D-E) ⇒ messageE,D,T (father-D-E)6. knowE,T (father-E-M) ⇒ messageE,M,T (father-E-M)7. knowE,T (father-M-E) ⇒ messageE,M,T (father-M-E)8. knowE,T (father-E-N) ⇒ messageE,N,T (father-E-N)9. knowE,T (father-N-E) ⇒ messageE,N,T (father-D-E)

Finally, the knowledge gained by E from receiving a message is characterized in the axioms

10. messageD,E,T (father-E-D) ⇒ knowE,T+1(father-E-D).11. messageD,E,T (father-D-E) ⇒ knowE,T+1(father-D-E).12. messageM,E,T (father-E-M) ⇒ knowE,T+1(father-E-M).13. messageM,E,T (father-M-E) ⇒ knowE,T+1(father-M-E).14. messageN,E,T (father-E-N) ⇒ knowE,T+1(father-E-N).15. messageN,E,T (father-N-E) ⇒ knowE,T+1(father-N-E).

We state the analogous axioms for all the remaining nodes. We initialize the protocol by statingthat at T0, H knows that it is the root.

2These and the remaining rules below are schemas: one instance for each value of T.

13

knowH,T0(root-H)

We can now prove that the knowledge disseminates down through the tree, and that every node willknow his father by time T3.

It should be noted that the proof only involves axioms A.2 and A.3 applied to sentences inthe purely propositional calculus. Though we are reasoning about knowledge, the nodes do notthemselves either about their own knowledge or about other nodes knowledge.

In section 2.2.4 we will show how this same information can be expressed more compactly usinga more expressive language.

2.1.5 Application: Three wise men

A more frivolous example which illustrates more sophisticated reasoning is the well-known puzzle ofthe three wise men.

The king summons three of his wise men and pastes on their forehead a small black dot.The wise men are facing one another, so that they can all see the dot on each othersforehead, but they do not know the color of the dot on their own. He tells them, “Oneach of your foreheads, I have placed a dot which is either white or black. I have put ablack dot on at least one of your foreheads. Do any of you know what the color on yourforehead is?”

The wise man all answer in unison, “No, your majesty”.

The king asks, “Do you now know what the color on your forehead is?”

They again answer in unison, “No, your majesty.”

The king asks, “Do you now know what the color on your forehead is?”

All three wise men answer, “Your majesty, I have a black dot on my forehead.”

How do the wise men determine this?

The solution is as follows:

After the first two questions, wise man A reasons as follows:

Suppose that I have a white dot on my forehead. Then wise man B sees that I have awhite dot and that C has a black dot. Now, in that case after the first question, wiseman B could have reasoned to himself,

Suppose that I (B) have a white dot on my forehead. Then C sees the whitedot on A and on me. Then C could reason to himself.

A’s and B’s dots are white but there is a black dot. The black dotmust be mine.

So C should have known the color of his dot before the king asked his firstquestion, and should have answered the first question. But he did not answerit. This is a contradiction: therefore the supposition was wrong. I must havea black dot.

So B should have been known the color of his own dot as soon as he saw that C did notanswer the first question, and B should have been able to answer the second question.But he did not answer it. This is a contradiction: therefore, the supposition was wrong.I must have a black dot.

14

Our analysis of this puzzle proceeds as follows. We use the following symbols:

• For each wise man X and time T , the modal symbol “knowX,T (φ)” means “U knows φ at timeT .”

• The propositional atom “speak-X-T” means that wise man X answers the question at time T.

• The propositional atom “black-X”

We now posit the following axioms:

1. black-A ∨ black-B ∨ black-C.(One of the wise men has a black dot.)

2. For each pair of wise men U, V where U 6= V and each time T,knowU,T (black-V) ∨ knowU,T (¬black-V).

(Each wise man knows the colors on the others’ heads.)

3. speak-X-T ⇔ [knowX,T (black-X) ∨ knowX,T (¬black-X)]. (A wise man answers the questionat time T just if he knows the color on his head.)

4. For each pair of wise men U, V and each pair of times T1, T2 such that T1 < T2,[speak-U-T1 ⇒ knowV,T2(speak-U-T1)] & [¬speak-U-T1 ⇒ knowV,T2(¬speak-U-T1)].

(All the agents know of all past answers and failures to answer.)

5. If φ is any sentence in (1-5) and U is a wise man, then knowU,T (φ).(All these axioms are common knowledge among the wise men. Note that (5) is recursive;thus, the agents all know axioms 1-4; they all know that they all know them; they all knowthat they all know that they all know them; and so on.)

Applying the axioms of modal logic, it can now be proven that, if none of the wise men answerbefore the third time the question is asked, then all three will be able to answer after the third time.The proof is essentially a symbolic translation of the informal argument outlined above.

What cannot be done from these axioms is to prove that none of the wise men can answer beforethe third time the question is asked. This would require showing that none of them can learn theircolor in any other way. There is no easy way to state the “frame” axiom on ignorance needed tosupport this conclusion in this kind of modal languages. (It can, however, be stated in the languageof possible worlds. (Scherl and Levesque, 93).)

2.1.6 Possible Worlds

The modal theory S5 is a very powerful one — often too powerful. In many applications, the axiomof positive introspection and, even more, the axiom of negative introspection, are unnecessary andimplausible. For such applications the modal theory S4, which consists of axioms K.1-K.4 or T,which consists of axioms K.1-K.3, are more suitable. (Dropping the axiom of consequential closure,though often desirable, is a much harder nut to crack.) Since these theories are important, it isworthwhile trying to develop semantic models for them. Such a semantic model is provided by thetheory of possible worlds. [Kripke, 63], [Hintikka, 69]

A possible world is, intuitively, one way that the world could be at a moment. A possible worldhas two aspects. First, each possible world has a content , a state of the external world aside fromthe knowledge of the agents. Secondly, the possible worlds are connected by accessibility relations,one for each agent, which characterize the knowledge states of the various agents.

15

P, Q, ~R

~P, Q, R

W1

P, Q, RW4W3

P, ~Q, ~RW2

Solid arrows are A’s accessibility relations.Dashed arrows are B’s accessibility relations.

Each world has an arrow to itself for both agents, not shown.

Figure 2: Structure of possible worlds

In a propositional logic, the content of a possible world is an assignment of truth-values to allthe propositional atoms. For instance, if the propositional atoms are p, q, r, and s, then one possibleworld might have content { p → TRUE; q → FALSE; r → FALSE; s → TRUE }. A different possibleworld might have content { p → TRUE; q → TRUE ; r → TRUE ; s → FALSE }.

A possible world is thus an abstraction of the notion of an “instant of time”, which we usedforming the state-based definition. At any instant of time, each propositional atom is either true orfalse; so in each possible world. More than one possible world can have the same content.

The intuition behind the accessibility relation is this: World W2 is accessible from W1 for agentA only if W2 is consistent with everything that A knows in W1. For example, if world W2 isaccessible from W1 and W2 has content { p → TRUE; q → FALSE; r → FALSE; s → TRUE },then this truth assignment must be consistent with everything that A knows in W2; A does notknow in W1 that this does not constitute the state of the world.

Formally, we take the accessibility relation to be primitive, and we define knowledge in terms ofaccessibility:

Definition 3: Agent K knows φ in world W iff φ is true in every world accessible from W .

Imbedded knowledge can be defined in terms of chains of accessibility relations. For example,the statement “In W1, A knows that B knows that p” is equivalent to “In every world W2 accessiblefor A from W1, B knows that p”, which is equivalent to

If W2 is accessible for A from W1 and W3 is accessible for B from W2, then p is truein W3.

Consider, for example, the structure of possible worlds shown in figure 2. The following state-ments are true.

In W1, A knows that p,because p is true in the worlds (W1 and W2) accessible for A from W1.

In W1, B does not know that p,because p is false in W3, which is accessible for B from W1.

In W1, B know that p ∨ r,

16

because p ∨ r is true in the worlds (W1 and W3) accessible for B from W1.In W1, B knows that q,

because q is true in the worlds (W1 and W3) accessible for B from W1.In W2, B knows that ¬q,

because q is false in the worlds (W2 and W4) accessible for B from W2.In W1, A knows that B knows whether q is true (that is, either B knows q or B knows¬q) because:

The worlds accessible for A from W1 are W1 and W2;In W1, B knows q;In W2, B knows ¬q.

This definition of knowledge is a generalization of the “state-based” definition of knowledge.Indeed, if we define a possible world to be an instant of time, and we define T1 and T2 to bemutually accessible for agent A if the state of A is the same in T1 and T2, then the state-baseddefinition reduces to exactly the knowledge accessibility definition.

It may seem that our definition here is circular, or at least that it puts the cart before the horse.We informally defined knowledge accessibility in terms of knowledge — world W2 is accessible fromW1 for A if everything in W2 is consistent with what A knows in W1 — and then we formallydefined knowledge in terms of accessibility. Indeed, this is not a definition of knowledge in the samesense in which definitions 1 and 2 were. It does not allow us to look at an actual situation anddetermine what any agent knows. Rather, the function of this definition is to give a concrete modelfor the modal theory. We choose a desirable theory of knowledge, construct a corresponding systemof possible worlds, and then use the system of possible worlds for reasoning about the knowledge.

The various axioms of modal epistemic logic turn out to be closely related to constraints on thestructure of the accessibility relation.

• Axioms K.2 (knowledge of the axioms) and K.3 (consequential closure) hold in any systemof possible worlds. If φ is a logical axiom, then φ must hold in every possible world, and, inparticular in every accessible possible world. If φ and φ⇒ψ hold in every accessible world,then ψ must hold in every accessible world.

• Axiom K.1, veridicality, holds if the accessibility relation is reflexive; that is, every world isaccessible from itself. Suppose that W1 is accessible from W1 and that φ is false in W1.Then there is a world accessible from W1 in which φ is false, so A does not know φ in W1.Conversely, if A does know φ in W1 then φ must be true in W1.

• Axiom K.4, positive introspection, holds if the accessibility relation is transitive; that is, forall W1, W2 and W3, if W2 is accessible from W1 and W3 is accessible from W2, then W3is accessible from W1. Suppose that it is not the case that in W1 A knows that he knows φ.Translating this into the language of possible worlds, this means that there exist worlds W2and W3 such that W2 is accessible from W1, W3 is accessible from W2, and φ is false in W3.By the transitivity property, W3 is accessible from W1. Therefore A does not know φ in W1.Conversely, if A knows φ in W1, then A knows that he knows φ in W1.

• Axiom K.5, negative introspection, holds if the accessibility relation has the Euclidean prop-erty: if W2 and W3 are both accessible from W1, then W3 is accessible from W2. Supposethat A does not know in W1 that he does not know φ. Translating this into the languageof possible worlds, this means that there exists a world W2 accessible from W1 such that Aknows φ in W2; that is, φ holds in every world W3 accessible from W2. Let WA be any worldaccessible from W1. By the Euclidean property, WA is accessible from W2; hence, as we havestated, φ is true in WA. But then, φ is true in every world accessible from W1; that is, A

17

knows φ in W1. Conversely, if A does not know φ in W1, then he knows that he does notknow φ.

There are also completeness results associated with the above correspondences: [Kripke, 63]

• Axioms K.2 and K.3 are complete over the class of systems of accessibility relations. That is,given any theory obeying K.2 and K.3, there is a possible worlds model in which the theoryholds.

• The modal theory T, containing axioms K.1, K.2, and K.3, is complete over the class of systemsof reflexive accessibility relations.

• The modal theory S4, containing axioms K.1, K.2, K.3, and K.4, is complete over the class ofsystems of accessibility relation that are reflexive and transitive.

• The modal theory S5, containing axioms K.1, K.2, K.3, K.4, and K.5 is complete over the classof systems of accessibility relation that are reflexive, transitive, and Euclidean. It should benoted that a relation is reflexive, transitive, and Euclidean just if it is an equivalence relation.

2.2 First-Order Theories of Knowledge: Modal and Other

It is well known that the propositional calculus, though useful in for finite combinatorial problems,is too limited and inexpressive for general knowledge representation. First-order logic, which allowsone to speak about objects, their properties, and their relations, is a much more expressive languageand is the most widely used language in knowledge representation. In this section we will study howto combine epistemic logic with first-order logic.

2.2.1 First-Order Logic with Equality

First, a brief review of first-order logic with equality. First-order logic uses the following types ofsymbols:

Constants: A constant symbol denotes a particular entity. E.g. “john”, “muriel” “mas-sachusetts”, “23”.

Functions: A function symbol denotes a mapping from a number of entities to a single enti-ties: E.g. “father of” is a function with one argument. “plus” is a function with two arguments.“father of(john)” is some person. “plus(2,7)” is some number.

Predicates: A predicate denotes a relation on a number of entities. e.g. “married” is a predicatewith two arguments. “odd” is a predicate with one argument. “married(john, sue)” is a sentencethat is true if the relation of marriage holds between the people John and Sue. ‘odd(plus(2,7))” isa true sentence.

A particular predicate is the equals sign “X = Y ” (written infix). The equals sign denotes theidentity relation: Two terms are equal if they denote the same entity.

Variables: These represent some undetermined entity. Examples: “X” “S1” . . .

Boolean operators: ¬, ∨, &, ⇒, ⇔.

Quantifiers: The symbols ∀ (for all) and ∃ (there exists).

Grouping symbols: The open and close parentheses and the comma.

18

The language of the predicate calculus contains terms, formulas and sentences. A term denotes aparticular entity. A sentence is a statement which is either true or false. A formula is an incompletelyfixed sentence.

A term is either

1. A constant symbol; or

2. A variable symbol; or

3. A function symbol applied to terms.

Examples: “john”, “X”, “father of(john)”, “plus(X,plus(1,3))” are terms.

An atomic formula is a predicate symbol applied to terms.Examples: “odd(X)” “odd(plus(2,2))”, “married(sue,father of(john))” are atomic formulas.

A formula is either

1. An atomic formula; or

2. The application of a Boolean operator to formulas; or

3. A quantifier followed by a variable followed by a formula.

Examples: “odd(X),” “odd(X) ∨ ¬odd(plus(X,X)),” “∃X odd(plus(X,Y )),”“∀X odd(X) ⇒ ¬odd(plus(X,3)).”

A sentence is a formula with no free variables. (That is, every occurrence of every variable isassociated with some quantifier.)

2.2.2 First Order Modal Logic

Syntactically, we incorporate the modal operator “know(A,φ)” into the predicate calculus simplyby adding a fourth way of constructing a formula. We revise the rule above as follows:

A formula is either

1. An atomic formula;

2. The application of a Boolean operator to formulas;

3. A quantifier followed by a variable followed by a formula; or

4. An expression of the form “know(µ, φ)” where φ is a formula and µ is a term denoting anagent.

Thus the following are sentences.

know(john, child(alice, charles)). — John knows that Alice is the child of Charles.know(john, ∀X on(X,table) ⇒ red(X)). —

John knows that everything on the table is red.∃A know(A, ∃Y child(Y ,charles)). —

There is someone who knows that Charles has a child.∀A ¬know(A,P = NP) & ¬know(A,P 6= NP). —

No one knows whether P = NP.

19

2.2.3 De re and de dicto modality

There are two, closely related, tricky issues in first-order modal logic: equality substitution andquantification into modal context.

As we discussed at the beginning of section 2, ordinary first-order logic is referentially trans-parent; equal terms can be substituted one for another without changing the truth of a sentence.For example given “married(oedipus,jocasta)” and “jocasta=mother of(oedipus)”, it follows that“married(oedipus,mother of(oedipus))”. In modal contexts, by contrast, this does not work. Evenif “know(oedipus, married(oedipus, jocasta))” and “jocasta=mother of(oedipus)” are both true,“know(oedipus, married(oedipus, mother of(oedipus)))” may still be false. The axiom governing thesubstitution of equal terms must therefore be restricted to contexts outside any modal operators.

By convention, sentence that contain a quantifier inside a modal operator are interpreted dif-ferently from sentences with the modal operator inside the quantifier. For example, the sentence“know(pete, ∃Y child(charles, Y ))” is read “Pete knows that Charles is someone’s child.” Thisdoes not attribute to Pete any great knowledge of Charles; after all, we all know that everyone hasparents. On the other hand, the sentence “∃Y know(pete, child(charles, Y ))” is read, “There is aparticular person Y such that Pete knows that Charles is the child of Y ”; i.e. “Pete knows theidentity of one of Charles’ parents. ”

Note that the first statement would follow from an assertion such as “know(pete, child(charles,father of(charles))).” If Pete knows that Charles is a child of his father, then he knows that Charlesis someone’s child. That degree of knowledge would certainly not justify the second sentence.On the other hand, if we said that “know(pete, child(charles, justin))”, then that would (in mostcircumstances) justify the second statement. If Pete knows that Charles is the child of Justin, thenPete knows the identity of one of Charles’ parents.

In the philosophical literature, the first of these sentences is called “knowledge de dicto” (knowl-edge of the word, in Latin) and the second is called “knowledge de re” (knowledge of the thing).Terms like “justin” that allow existential abstraction outside the scope of a modal operator arecalled “rigid designators”; terms like “father of(charles)” that do not are called “non-rigid designa-tors.” The distinction is admittedly a murky one and has been extensively studied in the literatureof modal logic and the related philosophy. For our purposes, we will simply take this as a logicalconvention: We will assume that the theory specifies which terms are rigid designators, and positthat existential abstraction of large scope can be performed only on these.

For a discussion of the complete axiomatization of first-order modal logic, see [Hughes andCresswell, 1968]

2.2.4 Applications

Using a first order modal logic, we can very much simplify the axiomatization of the examplesconsidered in section 2.1.4.

We extend the modal operator “know” to take a temporal argument as well; thus “know(A, T, φ)”means “A knows φ at time T . Table 2 gives an axiomatization of the protocol for imposing a directionon a tree-shaped distributed system.

We can specify the topology of the network in terms of the “neighbor” relation (being sure toassert that our list of neighbors is exhaustive). We can start the protocol moving by assigning onenode to the root at a particular time. We can then prove in the modal logic that all the nodes inthe tree find out their father after a certain amount of time.3

3Note, however, that this proof is for a particular network. To prove that this will work for all networks requires

20

T.1 ∀U,V,T know(U, T ,neighbor(U, V )) ∨ know(U, T ,¬neighbor(U, V )).Node U always knows who his neighbors are.

T.2 ∀U,T know(U, T ,∀V neighbor(U, V ) ⇔ neighbor(V,U)). Node U knows that its neighbor rela-tions are symmetric.

T.3 ∀U,T know(U, T , [root(U) ⇔ ∀V neighbor(U, V ) ⇒ father(U, V )]).Node U always knows that he is the root iff he is the father of all his neighbors.

T.4 ∀U,T know(U, T ,∀V,W [father(V,U) & father(W,U)] ⇒ W = V ).Node U always knows that he has at most one father.

T.5 ∀U,T know(U, T , ∀V neighbor(V,U) ⇒ [father(U, V ) ⇔ ¬father(V,U)].Node U always knows that, for each neighbor V , either U is the father of V , or V is the fatherof U , but not both.

T.6 ∀U,V,T know(U, T ,father(U, V )) ⇒ message(U, V, T ,father(U, V )).If U knows that he is the father of V , he should tell V .

T.7 ∀U,V,T know(U, T ,father(V,U)) ⇒ message(U, V, T ,father(V,U)).If U knows that he is the child of V , he should tell V .

T.8 ∀U,V,T,X,Y message(U, V, T ,father(X,Y )) ⇒ know(V, T + 1,father(X,Y )).V believes the messages he gets from U .

Table 2: Axiomatization of “tree” protocol in first-order modal logic.

The use of first-order modal logic for the three wise men problem is analogous.

2.2.5 Direct Use of Possible Worlds

Another approach to using first-order logic for epistemic reasoning is to talk directly about the kindof possible worlds model discussed in section 2.1.6. In this way, it is possible to represent epistemicstatements and to do epistemic reasoning without the explicit use of any modal operators or modallogic.

First, we have to extend the notion of a possible world. The intuition is the same as before: apossible world is one way that the world could be. Since we are moving to a richer theory, however,the actual structure of the possible world becomes more complete. In the propositional case, thecontent of a possible world was a truth assignment to the propositional atoms. In the first-order case,the content of a possible world is an interpretation: that is, a mapping from each constant symbolto an entity, from each function symbol to a mapping over the domain of entities, and from eachpredicate symbol to a relation over the space of entities. For example, suppose that John does notwhether Sacramento or San Francisco is the capital of California. That means that, in some possibleworlds accessible for John, Sacramento is the capital of California while in others San Francisco isthe capital of California. This, in turn, means that in the first of these worlds, the interpretationof the symbol “capital” includes the pair <Sacramento, California>, while in the second world, itincludes the pair <San Francisco, California>.

The key technical device here is in developing a representation along these lines is the use offluents. A fluent is something that has different values in different possible worlds. A Boolean fluent istrue in some possible worlds and false in others. For example “capital(sacramento, california)” is true

second-order logic, or a special-purpose induction axiom.

21

in some worlds and false in others. Other fluents take values that are not truth-values. For example,if John does not know whether Alice’s father is Mike or Sid, then the fluent “father of(alice)” hasthe value Mike in one world and Sid in another. Any object-level statement (that is, any statementnot involving knowledge) of which any agent can be uncertain must be represented by a Booleanfluent. Any term whose value is not universally known must be represented by a non-Boolean fluent.

We can now develop the first-order language of possible worlds as follows:

The domain of entities contains:

1. Agents, who have knowledge.

2. Things of the usual kind.

3. Possible worlds.

4. Fluents.

The symbols in the language include

1. Those symbols that are normally used to describe the external world. However, function andrelation symbols must be interpreted as mapping their arguments onto fluents.

2. The relation “true in(W,B)” holds on world W and Boolean fluent B if B is true in W .

3. The function “value in(W,F )” maps world W and non-Boolean fluent F to the value of F inW .

4. The relation “k acc(A,W1,W2)” means that world W2 is accessible from world W1 for agentA.

5. The constant “w0” represents the real world.

Examples:

• ∀W1 k acc(john,w0,W1) ⇒ true in(W1,child(alice,charles)).The fluent “child(alice,charles)” holds in every world accessible from w0 for John.John knows that Alice is the child of Charles.

• ∀W1 k acc(john,w0,W1) ⇒∀X true in(W1,on(X,table)) ⇒ true in(W1,red(X)).

For every world W1 accessible for John from w0, every object which on the table in W1 is redin W1.John knows that everything on the table is red.

• ∀W1 k acc(john,w0,W1) ⇒ ∃X true in(W1,capital(X,california)).In every world accessible for John, there is something which is the capital of California.John knows that California has a capital.

• ∃X ∀W1 k acc(john,w0,W1) ⇒ true in(W1,capital(X,california)).There is a particular city which is the capital of California in every world accessible for John.John know which city is the capital of California.

As the last two examples above illustrate, the difference between de re and de dicto knowledge isexpressed in the language of possible worlds by the relative scopes of the quantification over objectsand the quantification over possible worlds. In the de dicto sentence

22

∀W1 k acc(john,w0,W1) ⇒ ∃X true in(W1,capital(X,california)).

we assert that in each accessible world, California has a capital, but the identity of that capital mayvary from one world to the next; in some it may be Sacramento and in other San Francisco. In thede re sentence

∃X ∀W1 k acc(john,w0,W1) ⇒ true in(W1,capital(X,california)).

there must be a particular city — namely, Sacramento — which is the capital of California in allpossible worlds. Thus, a rigid designator in this theory is a fluent whose value is the same in allpossible worlds, while a non-rigid designator is one whose value changes from one world to the next.

2.2.6 Syntactic Representations

There is yet a third approach to the representation of epistemic facts, called syntactic representation.In this theory, we view knowledge as a relation between a string of characters. For example, thefact that John knows that Alice is the child of Charles is expressed in the statement “know(john,≺child(alice,charles)≻)”, where the term ≺child(alice,charles)≻ denotes simply the string of 20 char-acters, starting with ‘c’ and ending with a close parenthesis, between the curly angle brackets. (Thecurly angle brackets themselves are just string delimiters, like quotation marks.)

We can then develop a theory of knowledge by developing a first-order theory of strings ofcharacters and expressing properties of knowledge in terms of these. For example, if we want ourtheory to have the consequential closure property, this can be achieved in an axiom of the followingform:

∀A,S1,S2 know(A,S1) & know(A,catenate(S1,≺⇒≻,S2)) ⇒ know(A,S2)

(Note: This is a single axiom, not an axiom schema. S1 and S2 are first-order variables that rangeover strings. “catenate(SA, SB, SC)” is a function mapping three strings to the string that resultsfrom concatenating them. Here, we are catenating an implies sign ‘⇒’ between the antecedent andthe consequent of an implication.)

The different between syntactic theories and modal theories is roughly analogous to the differencebetween direct quotation (“John said ‘I am hungry’ ”) and indirect quotation (“John said that hewas hungry.”) Any kind of sayable or writable string may be imbedded in direct quotation, whileonly meaningful strings may be embedded in indirect quotation. “John said ‘Arglebargle glumph’ ”is meaningful while “John said that arglebargle glumph” is not. Purely syntactic predicates, whichrelate only to the form of the utterance, may be used of the object of direct quotation; for example,one can say “John said something that began with ‘T’ and ended with ‘y’.” Analogously, in asyntactic theory, the expression, “know(john,≺,⇒X∀ ∨ cat≻)” is well formed (though false), whilenothing of the kind is well formed in a modal theory. Similarly, in a syntactic theory we cansay, “John knows a string that contains ≺Napoleon≻ as a substring”; nothing of the kind can beexpressed in a modal theory.

Syntactic representations have two major strengths. First, they are an extremely expressivelanguage. Statements like “John knows something that Bill doesn’t;” “Vladimir knows the first26 digits of π;” “Kathy knows a rule which gives sufficient conditions for appendicitis in terms ofobservable symptoms,” “The database keeps a log of the exact text of all transaction entries” can allbe expressed quite directly in a syntactic representation, while they can be expressed only clumsilyif at all in a modal or a possible worlds representation.

23

Second, the foundations of first-order modal and possible worlds theories rest on concepts thatare obscure and ill-defined: the de re / de dicto distinction; the notion of a rigid designator; thenotion of a possible world and of accessibility between possible worlds; and so on. By contrast, indeveloping a syntactic representation it is at least clear what category we are talking about; namely,strings of characters and their properties.

However, there are also significant disadvantages to syntactic representations:

• The representation is clumsy. Typically, statements of any complexity involve putting togetherstrings by long catenations of terms of various kinds representing strings. Imbedded quotationslead to even greater complexity. This can be visually ameliorated by adopting a variety ofsyntactic conventions, but these are themselves complicated. [Morgenstern, 88], [Davis, 90].

• Using a syntactic representation eliminates much of the advantages of having a semantic model.One of the main purposes of a semantic model is that one can reason directly about the modeland thus avoid doing the syntactic manipulations involved in creating explicit proofs. In asyntactic theory, one ends up doing syntactic manipulations anyway.

• Sufficiently powerful syntactic theories lead to paradox. In a syntactic theory of knowledge, itis possible to construct a sentence Φ that essentially states “A does not know Φ.” Now is Φtrue or false? Suppose Φ is false; then A does know Φ; then Φ must be true, by the veridicalityproperty. Thus the assumption that Φ was false is contradictory, so Φ must be true. Thus,we have proven that logically, Φ must be true. But by axiom K.2, A knows all truths that arelogically necessary. Therefore A knows that Φ. But to say that A knows Φ is to deny Φ; so Φis false.

This is known as the Knower’s Paradox; it is exactly analogous to the better known LiarParadox, which involves the sentence, “This sentence is false.” A variety of solutions to theseparadoxes have been developed. Mostly, they either involve restricting the language so thatsuch sentences are ill-formed or using a multi-valued logic, where sentences can be consideredtrue, false, or unfounded.

• No effective method is known for automating reasoning in a syntactic representation.

2.3 Application: Knowledge Preconditions for Plans

The question of whether an agent is able to carry out a plan may be divided into two parts. First,is the plan physically feasible for the agent; that is, is it physically possible to carry out the actionsspecified by the plan? Second, is the plan epistemically feasible; that is, does the agent know enoughto perform the plan? A plan like “Make money at the roulette wheel by betting on the numbersthat win,” is not a useful one; though the physical actions involved are feasible, there is no way tofind out in time what they are.

The epistemic feasibility of a plan depends both on the knowledge the agent has at the beginningof execution, and on the knowledge he gains during the course of execution. For example, supposethat Edith does not know Frank’s phone number, but she has a directory in which she knows thathis name is listed. In that case, she is not immediately able to carry out the plan “dial Frank’snumber,” but she is immediately able to carry out the plan “sequence(look up Frank’s number; dialFrank’s number)”.

Reasoning about the epistemic feasibility of plans requires a theory that integrates temporalreasoning with reasoning about knowledge. In order to determine whether an agent knows enoughto perform a plan, we must be able to characterize what knows at the beginning of the plan, andhow the state of the world and the knowledge of the agent change as a result of the execution of the

24

plan. Like the relation, “At time T agent A knows fact φ”, the relation, “At time T , agent A knowsenough to perform plan P” is referentially opaque (intensional) in its final argument. Edith doesnot at this moment have enough information to perform the action “Dial Frank’s phone number”,but she does have enough information to perform the action “Dial 998-3123” which is extensionallythe same action.

The problem of epistemic feasibility may be divided into two parts:

1. The knowledge preconditions (KP) problem for actions. Characterizing whether an agentknows enough to perform a single specified action in a given situation. For example, expressingthe fact that Edith does not now have enough information to execute “Dial Frank’s officenumber”; however, if she finds out that “Frank’s office number is 998-3123” then she will haveenough information. (We are here viewing dialing a seven-digit number as an single atomicaction, rather than as a series of separate finger movements.)

2. The KP problem for plans. For example, determining that the plan “sequence(look up Frank’snumber; dial Frank’s number)” is epistemically feasible for Edith, given that she knows that,after looking up Frank’s number, she will know what his number is.

Clearly, a solution of the KP problem for plans must rest on a solution of the KP problem for actions.

The KP problems for actions is generally addressed as follows: An action E is epistemicallyfeasible for agent A at time T iff A knows at T a specific behavior that constitutes that actionin T . Edith cannot execute dial Frank’s number because she does not know what behavior wouldconstitute dialing Frank’s number. If she finds out that dialing 998-3123 constitutes dialing Frank’snumber, then she will know how to dial Frank’s number. In other words, in order to perform theaction “Dial Frank’s number,” she must know what that action is. As we have discussed above(section 2.23, 2.25) the notion of “knowing what Q is” is represented in formal theories by usinga existential quantifier of larger scope than the modal operator. In addressing the KP problemfor plans, we will here consider only plans consisting of a fixed sequence of primitive actions bythe agent himself. Richer categories of plans are considered in the literature: for example, [Moore,85] considers plans with conditionals and loops; [Morgenstern, 87] considers plans involving severalagents; [Davis, 93] considers indeterminate plans.

For sequences of primitive actions, we posit the following rule:

The plan “sequence(E1, E2 . . . Ek)” is epistemically feasible for A starting in S if A knowsin S that

• E1 is epistemically feasible in S;

• After E1 has completed, E2 will be epistemically feasible;

• After E1 and E2 have completed, E3 will be epistemically feasible;. . .

• After E1, E2 . . . Ek−1 have completed, Ek will be epistemically feasible.

For example, the plan “sequence(look up Frank’s number; dial Frank’s number)” is epistemicallyfeasible because Edith now knows how to look up Frank’s number, and she knows that, after shelooks up his number, she will know how to dial it. The plan “sequence(look up Harvey’s number;dial Frank’s number)” is not feasible because after executing the first step, Edith will not know howto execute the second; that is, she will not know what dialing action constitutes dialing Frank’snumber.

25

3 Automated Reasoning

In section 2, we have discussed at length what can be inferred in various epistemic representations.We now discuss how an automated reasoner can actually infer it.

The study of automated epistemic reasoning is still in a comparatively primitive state. In thestudy of automated reasoning in ordinary first-order logic, there is an extensive literature of manydifferent techniques and representation of varying degrees of expressivity, completeness, efficiencyand domains of application. Nothing of the kind exists for epistemic reasoning.

In addition to the specific techniques that we will survey here, there is a small body of work onworst-case complexity results for inference in various epistemic theories. See [Halpern and Moses,85], [Shoham, 88].

3.1 Multiple Contexts

The most natural implementation of epistemic reasoning and probably the most frequently used inpractice4 is to multiple contexts. The basic idea here is that for each state of knowledge, or stateof imbedded knowledge, one creates a separate context of object-level statements. Inference withineach single context uses “ordinary” first-order inference techniques. Inference from one context toanother uses special purpose inference rules.

Example: Suppose we are given the following facts:

In T1, A knows p and r.In T1, B knows p ⇒ q and knows r.In T1, A knows that B knows r.A tells p to B during [T1, T2].

We begin by initializing a number of contexts corresponding to time T1,

Context T1A (what A knows in T1) : { p, r }Context T1B (what B knows in T1) : { p ⇒ q, r}Context T1AB (what A knows that B knows in T1): { r }

We also create the corresponding contexts T2A, T2B, and T2AB for time T2. These are initializedto be null and are filled in through inference rule.

First, we can apply a frame inference, that agents do not forget what they know. This gives us

Context T2A: { p, r }Context T2B: { p ⇒ q, r }Context T2AB: { r }

Next we can apply an inference rule associated with “tell”: If A tells φ to B during [T1, T2],then in T2, B knows φ and A knows that B knows φ. Thus we update contexts T2B and T2AB tocontain p.

Context T2B: { p ⇒ q, r, p }.Context T2AB: { p, r }

4For example, CYC [Lenat and Guha, 90] uses a variant of this method.

26

Finally we can apply modus ponens within context T2B.

Context T2B: { p ⇒ q, r, p, q }

As this example illustrates, frequently much of the knowledge will be the same in several contexts.Knowledge base management can therefore be made more efficient if facts are labelled with contexts,as in CONNIVER [McDermott and Sussman, 73] or ATMS [de Kleer, 85], rather than copying theknowledge base as a whole.

The major limitation of this approach is its limited expressivity. The only type of partial infor-mation that is directly represented is partial knowledge within the context. Therefore, facts such asthe following are clumsy or impossible to express.

A knows p or A knows q.A knows who the President of the Congo is.The man with the white hat knows p.A will know p when the bell rings. (partial specification of time.)A knows that B does not know p.

Other issues that arise include

• How are new contexts generated?

• What are the cross-context inference rules?

• What closed world assumptions should be made? If T1A does not contain fact w, should weconclude that, in T1, A knows that w is false? or that he does not know whether it is trueor false? If T1AB does not contain fact w, should we conclude that A knows that B knowsthat w is false? or that A knows that B does not know whether w? or that A does not knowwhether B knows whether w?

3.2 Possible worlds representation

The idea here is simple. Translate all epistemic statements to a first-order language of possibleworlds and use a standard proof technique for first-order logic.

Example: Given:1. Joe knows that a person always knows whether he is hungry.

∀W1 k acc(joe,w0,W1) ⇒∀X [[∀W2 k acc(X,W1,W2) ⇒ true in(W2,hungry(X))] ∨[[∀W3 k acc(X,W1,W3) ⇒ ¬true in(W3,hungry(X)]].

2. Joe knows that Fred is hungry.∀W4 k acc(joe,w0,W4) ⇒ true in(W4, hungry(fred)).

To prove:3. Joe knows that Fred knows that he is hungry.

∀W1 k acc(joe,w0,W1) ⇒∀W2 k acc(fred,W1,W2) ⇒ true in(W2, hungry(fred)).

Using the standard resolution procedure, we begin by Skolemizing 1 and 2 and the negation of 3.

27

1. ¬k acc(joe,w0,W1) ∨ ¬k acc(X,W1,W2) ∨ true in(W2,hungry(X)) ∨¬k acc(X,W1,W3) ∨ ¬true in(W3,hungry(X)).

2. ¬k acc(joe,w0,W4) ∨ true in(W4,hungry(fred)).

Negation of 3:3.A. k acc(joe,w0,w5).3.B. k acc(fred,w5,w6).3.C. ¬true in(w6,hungry(fred)).

The axiom of veridicality is equivalent to reflexivity of the accessibility relation (section 2.1.6).4. k acc(X,W,W ).

The resolution proof is then straightforward.

The major disadvantage of this approach is that the proofs generated are not easy to under-stand, both since they are couched in the unnatural language of possible worlds, and since they arecharacteristically proofs by contradiction.

3.3 Proof techniques within modal logic

A number of techniques have been developed extending standard proof techniques to modal logics(e.g. [Geissler and Konolige, 86], [Frish and Scherl, 91].) These tend to be complicated. They are, soto speak, halfway between the method of contexts and the method of possible worlds. One generatecontexts in the course of theorem proving. These may correspond to a partially specified agent, or avariable ranging over a class of agents, or one disjunctive possibility of what an agent might know,thus extending the expressivity of the language of contexts.

3.4 Proof in syntactic theories

A syntactic theory is first-order, so in principle first-order proof techniques should work. Theproblems are:

• The theory of quoted strings is a complex and rich one, comparable to the theory of arithmetic.Finding good proofs in such a theory is difficult and requires specialized techniques.

• Proof techniques must know to avoid paradoxical sentences.

There is very little on this problem in the literature.

3.5 Vivid Reasoning

Halpern and Vardi (1991) argue for the use of vivid reasoning (Levesque, 86) — that is, reasoningbased on the inspection of fully elaborated, constructive models — in epistemic reasoning. Theirsuggestion is that, given an epistemic theory, one construct a specific model of possible worldsinstantiating the theory. One can then check whether a sentence Φ is true by checking whether itholds in the model.

The problem with this approach is that with vivid reasoning generally (Davis, 91); it is verydifficult to know whether Φ is true because it is a consequence of the original theory or whether itjust happens to be true because the way the model was chosen.

28

Peripheral References

Most of the references in this paper are to papers in the larger bibliography attached. A few,however, are to AI papers not specifically dealing with epistemic reasoning. The citation for theseare given here.

Ernest Davis (1991). “Lucid Representations” NYU Tech. Rep. #565.

Johan de Kleer. (1986). “An assumption-based TMS.” Artificial Intelligence, vol. 28, pp. 127-162.

Douglas Lenat and R.V. Guha (1990). Building Large Knowledge-Based Systems. Addison Wesley.

Hector Levesque. (1986). “Making Believers out of Computers.” Artificial Intelligence, vol. 30, pp.81-108.

Drew McDermott and Gerry Sussman (1972). “The CONNIVER Reference Manual.” AI Memo259, MIT.

29